3 Replies Latest reply: Apr 19, 2017 6:50 AM by Chris Hunt RSS

Isilon - SMB share access troubleshooting

Chris Hunt

Community,

 

 

This test cluster is giving me fits and trying to figure out why I cant seem to access this SMB share I created?  Could it be the directory permissions that stopping me?

 

Directory Permissions:

[MYCLUSTER]-2# ls -lzed ifs

drwxrwx--x    7 root  wheel  136 Oct  3  2015 ifs

OWNER: user:root

GROUP: group:wheel

SYNTHETIC ACL

0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child

1: group:wheel allow dir_gen_read,dir_gen_write,dir_gen_execute,delete_child

2: everyone allow dir_gen_execute,dir_read_attr

 

 

 

 

Share Permissions:

[MYCLUSTER]-2# isi smb share view test$

                                     Share Name: test$

                                           Path: /ifs

                                    Description:

                     Client-side Caching Policy: manual

Automatically expand user names or domain names: False

Automatically create home directories for users: False

                                      Browsable: True

Permissions:

Account                   Account Type  Run as Root  Permission Type  Permission

--------------------------------------------------------------------------------------------------------------------

[DOMAINNAME]\Me user                False            allow                   full

--------------------------------------------------------------------------------------------------------------------

Total: 1

 

          Access Based Enumeration: No

Access Based Enumeration Root Only: No

             Allow Delete Readonly: No

              Allow Execute Always: No

                     Change Notify: norecurse

                Create Permissions: default acl

             Directory Create Mask: 0775

             Directory Create Mode: 0000

                  File Create Mask: 0764

                  File Create Mode: 0100

                    Hide Dot Files: No

                          Host ACL: -

                 Impersonate Guest: never

                  Impersonate User:

                 Mangle Byte Start: 0XED00

                        Mangle Map: 0x01-0x1F:-1, 0x22:-1, 0x2A:-1, 0x3A:-1, 0x3C:-1, 0x3E:-1, 0x3F:-1, 0x5C:-1

                  Ntfs ACL Support: Yes

                           Oplocks: Yes

                      Strict Flush: Yes

                    Strict Locking: No

 

 

Everytime I try to access this from my windows workstation I get "Windows cannot access [Server]"

 

 

 

 

Thank you,

  • 1. Re: Isilon - SMB share access troubleshooting
    Chris Klosterman

    I mean at first glance of course naming it with a dollar sign $ will administratively hide it. But I'm guessing you know that.  Are you trying to access it via \\smartconnectzonename.domain.xyz\test$ and it's not working?  Then odds are pretty good that it's an NTFS permissions issue.  That said your path is /ifs, and NEVER put NTFS ACLs on /ifs, you'll probably break the cluster.  Are you just trying to allow yourself as an administrator to browse the tree?  Then give just your admin account run-as-root rights to the share.  Be extremely careful with how you use this because as the name implies it gives you effectively root access over SMB.  While useful for administrative purposes or for data migrations, it can be a real mess if you ever put that on a user-facing share.

    The other possible issue is an SPN issue.

    'isi auth ads spn check --domain=domain.xyz"

    will show you if you have any SPNs missing.

     

    Hope it helps,

    Chris Klosterman

    Principal SE, Datadobi

    chris.klosterman@datadobi.com

  • 2. Re: Isilon - SMB share access troubleshooting
    Chris Hunt

    Yes, I am intensionally hiding the share.  I am trying to access it via \\[SERVER.DOMAIN.xyz]\test$ and its not working.  I have no plans to add NFTS permissions to /ifs and was hoping I wouldn't have to.  Yes, per the instructions for the Isilon Search tool, I need to give it permissions to access the share for /ifs.  Isilon Search don't require a run-as-root right to perform this task of scanning the entire filesystem. 

     

    I will verify the SPN isn't an issue and reply to this tomorrow morning.

     

     

    Thank you,

  • 3. Re: Isilon - SMB share access troubleshooting
    Chris Hunt

    Ok this is what I got:

     

        

     

    SERVER-2# isi auth ads spn check --domain=DOMAIN.DOMAIN.xyz

    Missing Service Principal Names:

        nfs/SERVER3

        nfs/SERVER.DOMAIN.xyz

        nfs/SERVER-nfs.DOMAIN.xyz

        nfs/SERVER-mgmt.DOMAIN.xyz

     

    Additional Service Principal Names:

        HOST/SERVER1

        HOST/SERVER1.DOMAIN.xyz

     

     

    SERVER-2# isi auth ads spn list --domain=DOMAIN.DOMAIN.xyz

    SPNs registered for SERVER3$:

            HOST/SERVER-mgmt.DOMAIN.org

            HOST/SERVER-nfs.DOMAIN.org

            HOST/SERVER-mgmt

            HOST/SERVER-nfs

            HOST/SERVER.DOMAIN.org

            HOST/SERVER

            HOST/SERVER1

            HOST/SERVER1.DOMAIN.org

            HOST/SERVER3

            HOST/SERVER3.DOMAIN.DOMAIN.xyz